Daniel Meissler posted an amazingly succinct, yet accurate, description of the tech behind the Meltdown and Spectre vulns. If you want to understand e[See the full post at: Best explainer yet for Meltdown and Spectre]

7 users thanked author for this post.

I think the absolute most important thing this article emphasizes is this:

The major risk consideration here is whether someone is able to run code on your machine.

Some things to discuss:

I don’t believe running a pure JavaScript script is what he means by “run code on your machine”. Usually that terminology refers to running machine code, i.e., compiled instructions. This matters if we’re talking about being exploited by viewing a web page.

We all run a LOT of machine code on our systems. Basically anything you didn’t write or vet and compile yourself falls into that category. And for a long time it’s been known that machine code could compromise your security. Yet people buy or download software and survive, because most of it actually is trustworthy. All of us already have processes in place to see to it we don’t run bad machine code. You can, for example, see almost all of what’s on the web without running any ActiveX / Add-ons to your browser.

Don’t be duped into thinking that only because you allow machine code to run only in user space or with low privileges (i.e., without UAC Administrators escalation) you are safe. While it may be true that certain things – such as actual malware you’ve somehow managed to get running – could be cut off from being able to do more damage or snooping, generally speaking the entire world of software is NOT out to get you. Very much software today is benign and valuable. In fact, there are those of us who ALWAYS run everything privileged, because it’s the most efficient and effective way to do computing, and guess what? No infections, no snooping. UAC actually offers almost no real protection, and Meltdown/Spectre show us why. Concentrate on not running malware in the first place, rather than what to do once it’s running. It doesn’t have to be inevitable that you’ll run malware!

All I advise is this: Learn more before acting.

Make sure to keep a level head and understand the risks and benefits before doing something to respond to the latest OMG! well-marketed set of vulnerabilities. Always remember that there are folks who want you to do things out of fear that will ultimately benefit them, and ponder this: Who will benefit if your computer is 30% slower?

V8 is the JavaScript engine in Google Chrome. It may be that not all JavaScript engines are equally vulnerable, though the information is still sketchy. I have already read that the engine underlying the Pale Moon browser (which I have chosen to use) doesn’t offer the same vulnerability.

This could also say that conceptually it’s not a bad idea to run an off-the-beaten-path browser whose internals are less likely to be taken advantage of.

And it also says that avoiding running scripts may now be approaching the level of importance as avoiding running executables. That’s a bit different than my prior take on the matter and requires further thought.

Someone has already mentioned the “noscript” add-on, and of course things like uBlock can prevent a lot of site scripts from even being downloaded. However, adding on executable code comes with its OWN risks and requirements for trust. I personally have been using uBlock Origin for quite some time in Pale Moon to afford extra protection from visiting known bad sites.

-Noel

8 users thanked author for this post.

Thank you for rationally talking us off the ledge. I feel comfortable doing some things to my computer, so I am not a complete noob. However, when there is talk of firmware updates, that starts to scare me a bit.

What would that kind of update entail? If it is downloading and running a program like “normal” updates, no problem. Honestly, I am getting the same feeling when I hear firmware update as I do each time I absolutely have to do an iOS update on my iPads, since it takes so long and basically rewrites the entire operating system… Should I be feeling this way about a firmware update? Can I assume very detailed instructions will be given should a firmware update be released?

Woody, you and the gang here are my lifeline, and I truly appreciate your efforts.

2 users thanked author for this post.

A firmware update is an update to the hardware (as opposed to the software/OS. It used to be that you had to boot from a source other than the HDD and install it. But nowdays, it is usually an executable that you download and double click on. The one thing you have to be careful of, though, is you don’t lose power to the device during the update because it can render the component unusable.

2 users thanked author for this post.

I worry that such firmware/microcode updates are “trap doors”, once taken, impossible to undo.

Wouldn’t it be cool if there was an application that had a pair of Radio Button controls, so we could try before and after against one another and see what the ramifications are. Maybe the update is innocuous, or maybe it causes havoc.

As it is, we’re pushed to “take the latest update [blindly] and not look back”. I just don’t see that as a good thing.

“I worry that such firmware/microcode updates are “trap doors”, once taken, impossible to undo.”

It may be that way, depending on the device in question.

Some devices block the installation of older firmware releases than whatever is installed already, so going backwards in case of unwanted effects may be difficult. On my C2D laptop, it would be easy to revert, since it will happily allow the user to overwrite its BIOS with the “same” version (which I have modified and reflashed many times), but my newer UEFI ‘puters… I really don’t know.

I don’t believe running a pure JavaScript script is what he means by “run code on your machine”.

The Mozilla devs have said that they intend to (or already have?) issue a patch to reduce the resolution of the timer available in JavaScript, which apparently is necessary to perform the attack via JS. It would not surprise me if there was another method discovered to thwart this attack from running at all, whether that be in the script interpreter or in an addon like NoScript. If NoScript were to simply ask permission for any script to have direct memory access, which it seems it would have to in order to make use of this vulnerability, that would block it quite effectively for the target audience of NoScript (not beginners, to say the least).

In fact, there are those of us who ALWAYS run everything privileged, because it’s the most efficient and effective way to do computing, and guess what?

I thought about that very fact last night. If you run with admin privileges all the time, it would seem that this exploit has no value whatsoever, as its whole purpose is privilege escalation in terms of memory reads. No escalation is needed if you’re already running the errant process with admin rights.

This is a real issue, but it seems like one that’s a lot smaller than the hype would suggest. At this time, I have no plans to allow performance-robbing fixes on Windows or Linux. Good code doesn’t come out of hurrying to get something out quick– it is possible that an elegant, efficient fix is out there somewhere, just waiting to be discovered/invented. Until then, I will reserve my panic for when an actual drive-by infection is confirmed in the wild, and that it is further confirmed that the attack vector in use is one that I am susceptible to.

8 users thanked author for this post.

In fact, there are those of us who ALWAYS run everything privileged, because it’s the most efficient and effective way to do computing, and guess what?

I thought about that very fact last night. If you run with admin privileges all the time, it would seem that this exploit has no value whatsoever, as its whole purpose is privilege escalation in terms of memory reads. No escalation is needed if you’re already running the errant process with admin rights.

Thanks for taking up this aspect of the discussion.

One thing that has been worrying me is that people have been led into a false sense of security by the visible promise that UAC will protect them. I have always believed that it’s false, and these particular exploits now show that it truly is. It’s tough to make things foolproof because fools are ingenious.

Instead of being wary of running anything in any way, users have been led to believe they can safely run any old software on their computers/devices because they’re perfectly internally protected (“sandboxed”) from doing harm. People often think that if they don’t allow things at a UAC prompt, or if they only run things in a non-privileged account, then they’re invulnerable. It isn’t so! And I’m not even talking about the [more than?] occasional “Oops, I shouldn’t have clicked [Yes] for that!”

Did/does this visible privilege escalation overhead cause people to be more cavalier about downloading and running things, thus exposing them to GREATER risk than if they simply weren’t led to believe they are protected? I personally think so.

And now we’re learning that JavaScript, which was supposed to be interpreted and well-protected against doing anything it’s not supposed to do is actually capable of being exploited because the engineers have turned it into essentially a compiled language. What were they thinking? Beat the other browsers’ performance at all costs? Deliver more glitz in browsers, because glitz sells more?

I’ve always felt it is safer to lock the front and back doors and only entertain a few trusted friends occasionally than to invite all the neighborhood in all the time and try to watch them all carefully to ensure no one takes the silverware. It seems to work. I never allow executable code to be downloaded/run by a browser without my specific involvement. And now it’s looking more and more like it’s high time to be even more selective about what sites are allowed to run scripts.

-Noel

5 users thanked author for this post.

I completely agree that UAC should not be seen as a panacea. When you think about it, UAC only (and in theory only, because in practice it doesn’t even seem to work that well for smarter bad code) prevents a user code from doing admin reserved things.

To simplify what it means, it just means that if it worked, the bad software could only do what you can do as a user with a limited account on your computer, which is a lot! It could read and modify or delete all your user files. It could auto start when you start your computer, spy on you, basically control your computer as if you were sitting there. It could also launch code to try to trick you into elevation and grant more power, asking for your admin password looking like it is a legitimate Windows prompt. That is the minimal thing it could do. I am not even starting the discussion on the ways UAC can be circumvented.

What seems to happen though in this particular case is a bit different to me than you running as admin. Running your browser as admin, you might not expect a javascript to do bad things or consult admin reserved memory space outside the browser. Unfortunately, this barrier seems to be broken. Being a user of noscript, I feel that the majority of the web experience is broken if you don’t enable javascript, unlike with ActiveX, so this can be potentially bad if no better fix is found.

In the end, it might turn out that the javascript issues might be mitigated and then the risk will be much less important. We have to wait and see.

When I read what you wrote Noel, I feel like you describe an old view of code like in early 90s when viruses were code added to executables, no offense intended.

From what I understand, buffer overflows and similar attacks changed the whole game about this. You can’t say anymore that there is a distinction between code and document, as if you have a vulnerability, for example in your browser, anything thrown at it by the web as a file have the potential to be turned to code. That is the idea of the buffer overflow. It is a code injection technique that doesn’t need code to be injected, just a vulnerable program reading information from somewhere. Basically, your browser reads a tainted image, code is hidden in the image and is run by your browser because of the vulnerability exploited. But it needs a vulnerability to work and it needs to not get catched by an anti-exploit kit. Of course, your point is still valid when you don’t have a vulnerability in the first place.

In this case, it is different. The vulnerability makes it so that you can read parts of memory that are not supposed to be read. It doesn’t grant you access to user code directly like a buffer overflow would.

Maybe combining this vulnerability in a malware that exploits this in conjunction with an exploit for another vulnerability coud lead to privilege escalation on a vulnerability that would normally be only confined to user space. It would be bad, but in my book, it would already be bad to be compromised at the user level anyway. In big corporations, maybe the potential for harm is much greater if getting privilege escalation helps you gather other info you can use to hack more desirable targets inside.

But I understand that for someone like you, avoiding the malware in the first place and being generally patched, your risk is confined to a 0-day exploit not catched by your black lists maybe, so then this distinction between code and document generally stands.

2 users thanked author for this post.

Good points, thanks. It’s clear a good security strategy is a concerted, interconnected thing, not a fragmented set of disparate activities.

It really underscores that a “take this update and be protected against the latest nasties but everything will be 30% slower” vs. “don’t take this update [or any further updates] and become more and more exposed” choice is worrisome.

1 user thanked author for this post.

Intel Ivy Bridge is stated below to be the oldest Processor to be Patched (5-Yr Age Limit) . That leaves out Sandy Bridge (Q3 ’11 birth ).

Other than a new computer it wouldn’t appear we have Options. Right?

What Next? suggestions will be appreciated by us Sandy Bridge users somewhere in the Blog. A Non-Patch-able User Thread would seem logical Vs getting lost in a what-to-do-next Thread for Patching users.

I tried to put part of the article URL in here and got 100 lines of gibberish that seems impossible to delete. Article from Tom’s Hardware CPU News.

Intel announced that it has already started issuing updates to five-year-old CPUs or newer, which should include the Ivy Bridge generation, which came out in 2012, and later. However, we know from the researchers who discovered Meltdown that the bug affects Intel CPUs at least as old as 2011, and potentially all the CPUs Intel has built since 1995, with a few exceptions. This could mean that a significant portion of the Intel CPUs out there will be left vulnerable to attacks, as most people refresh their computers after five years.

1 user thanked author for this post.

I think we have yet to see how or when any of this is exploited and how effective it is. Also the patches and firmware updates may get tested and we will also see how if any speed is negatively affected. A lot of this is speculation as to how this will be mitigated. I read a ton of theories and very little about anything out there trying to exploit this yet. Since this issue has been around since 1995 or so and nobody has taken advantage of it. In fact nobody has even found a proof of concept until last year. I have to wonder if this is all very much over hyped hysteria over nothing.

2 users thanked author for this post.

My preliminary understanding is that the OS kernel and other software mitigations for “Meltdown” will not be completely provided within the January “security only” patches. It appears everyone is going to need to consider moving to Group A to address this set of issues. I understand that Intel is releasing microcode updates for their processors but have not been able to nail down what is happening from a short visit to Intel’s website. Any information anyone has on this, I would find interesting and useful.

1 user thanked author for this post.

“I understand that Intel is releasing microcode updates for their processors but have not been able to nail down what is happening from a short visit to Intel’s website. Any information anyone has on this, I would find interesting and useful.”

If your CPU has CPUID of 306c3, 306d4, 306f2, 40651, 406e3, 406f1, 50654, 506c9, 806e9, or 906e9, then my interpretation of this link is that a microcode update has already been created for your CPU.

2 users thanked author for this post.

Do these CPU microcode updates that are supposed to be required have a performance penalty like the OS-based updates?

What degree of protection is offered by updating just one or the other (microcode xor OS) compared to doing both, which we’re told is necessary? Are both of them truly necessary to get any benefit, or is it that both are required to get ALL of it?

If I block the Windows patch via the registry key, will the other security updates contained in the same update and in all the ones after that still be installed, or is it just a brute-force “block all until the antivirus gets patched?”

If Windows Defender (which I am using) updates to the point that it sets the “all clear to patch” registry key, can I edit that and expect the edit to stick (ie keep blocking updates), or will Defender keep setting the key?

What happens when you have more than one antimalware program installed? I have Defender and Malwarebytes Anti-Exploit (free). If Defender (which still has itself registed as the One True Antivirus on the system) sets the “all clear” key, but MBAE is not compatible, then what? MBAE is not intended to be a full antimalware; it is meant to work in addition to one.

Does the key simply prevent the installation of the anti-Meltdown patch, or does it prevent it from running if installed? I am leaning toward the former now… I had thought it was the latter, like the Linux patch, but now I am not so sure.

It’s kind of weird how they seem to be doing it. If the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat contains a value whose name is a specific UUID, with a value of 0, it will consider that a go-ahead for the Meltdown patch. It doesn’t say what other values do; it merely states that setting it to 0 will get you the patch. Seems backwards that an assumed null value (no key) does not mean the same as an enumerated null value of literal zero.

I wonder if it would be possible to delete that UUID value and set the key’s permissions to block anyone but members of Administrators from changing it.

3 users thanked author for this post.

I can give one answer here.
Lack of the Registry key prevents it from being offered by WU. It does not block manual installation of the patch. I tried yesterday with Win7, Win8.1 and Win10 1709.
Without the key, I was able to manually install both the SO and Rollup on Win7, the SO on Win8.1 and the CU to 16299.192 on 1709. This in VMs, of course, so not risking BSOD and loss of use.

2 users thanked author for this post.

Noel Carboni said:
I found the key/value to already exist on my Win 7 system running Microsoft Security Essentials, which keeps itself up to date, but the system does NOT check automatically for Windows Updates.

It seems that those with AMD CPUs will probably get their PCs bricked after installing either the Meltdown patch, or the latest Win OS Quality Rollup. And of course, the irony is that AMD CPUs are immune to the Meltdown bug.

Not quite. I, and many others with Avast, have the registry key but are not being offered the update. As to why not is a mystery, Avast say they’re on Microsoft’s verified list or whatever it is, but still no update showing. This has been brought up in the other thread here.

I’m Win 7 sp1 x64, MS Security Essentials, core i3. Yesterday Windows Update offered the January Rollup to me and removed the December Rollup, but today the January Rollup is gone having been replaced with the DECEMBER rollup.

I can give one answer here.
Lack of the Registry key prevents it from being offered by WU. It does not block manual installation of the patch. I tried yesterday with Win7, Win8.1 and Win10 1709.
Without the key, I was able to manually install both the SO and Rollup on Win7, the SO on Win8.1 and the CU to 16299.192 on 1709. This in VMs, of course, so not risking BSOD and loss of use.

Lack of the Reg key kept the update from appearing in Windows Update.
But I was able to install manually in the absence of the Reg key on three different version.
On another one, I manually added the Reg key and the update appeared in Windows Update. – But that’s asking for trouble, right?

2 users thanked author for this post.

So if the installer sets the key, the key cannot be taken as a true token of Antivirus compatibility compliance. It only assures that future key checks do not create a conflict, and has no bearing on an actual Antivirus making calls on the kernel.

True and accurate. But it does suggest a very high degree of coincidence. That could resolve into the installer did it, or that the Antivirus took that opportunity to do it, or that some other unknown agent chose that moment to set the same key. From the limited information, I cannot declare the cause. Only observe the likely-hood.

1 user thanked author for this post.

“What degree of protection is offered by updating just one or the other (microcode xor OS) compared to doing both, which we’re told is necessary? Are both of them truly necessary to get any benefit, or is it that both are required to get ALL of it?”

Malwarebytes is compatible with the MS patch. See the following link on Malwarebytes’ site for more info: Click here, and read the first sentence (which begins with the word “Update”) on the page below the headline.

Open Malwarebytes and click on the “Dashboard” option on the left side of the window if it’s not already highlighted in green. Now, under the heading “Scan Status” on the right side of the window, click on the link in blue that says “Check for updates” next to the word “Updates:”. This will download the latest Malwarebytes Database update which will bring you into compatibility with receiving the patch, because its version number will be greater than the minimum required of 1.0.3624.

Ascaris said:
If Windows Defender (which I am using) updates to the point that it sets the “all clear to patch” registry key, can I edit that and expect the edit to stick (ie keep blocking updates), or will Defender keep setting the key?

On my Win 7 x64 with Windows Defender, there was no HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat registry key.

After updating Win Defender twice (06 & 07 Jan 2018), as well as performing a quick system scan, the registry key still doesn’t exist.

Yet Microsoft claimed (03 Jan 2018) that Win Defender is compliant with the Meltdown KB patch. So what gives ?

Each time I have read one of these stories of conflicting information, I wonder about the habits involved. Specifically, are you in the habit of daily or weekly powering down and coldbooting your operating system. This is still important in Win7. Others could give better opinions of later WinOSes.

Now that I have reread your post, and unable to say for sure if your anonymous voice is one I’ve read before, I must point out that Vista had Defender as a useful tool. Win7 introduced the NEW AND IMPROVED BETTER THAN THAT OLD THING Microsoft Security Essentials. Before Win8 and later resurrected the old name for a new tool that is not available for Win7.

My personal view is that MSE on Win7 and Defender on Win8&10 have become identical levels of protection, within the limits of the appropriate OS. But the Defender that you find in Win7 is not. If I read you, and possibly others, correctly you should install MSE on your Win7 system, or chose your favorite 3rd party protection.

Paul said:
Specifically, are you in the habit of daily or weekly powering down and coldbooting your operating system.

Yes, I shut down & cold-boot my Win 7 at least once daily. And I have cold-booted the system 3 or 4 times since the last 2 Win Defender updates over the past 2 days. May I know the relevance ? So far, Win Defender has never requested or forced a system reboot after updates, even when the engine version (mpengine.dll) gets updated. (I have a habit of checking which EXEs, DLLs & VDMs Win Defender replaces after an update.)

But the Defender that you find in Win7 is not. If I read you, and possibly others, correctly you should install MSE on your Win7 system, or chose your favorite 3rd party protection.

Thanks for the advice. I’m not a fan of Win Defender (or any Microsoft malware solutions, including MSE) though. I prefer applications that allow more user customization & control, so since day 1, I’ve been using 3rd-party antivirus for real-time protection, supplemented by a couple of standalone malware scanners for on-demand 2nd-opinion scanning.

Since Win Defender was shipped with Win 7 (without me having any say in it), I set it to disabled as soon as Win OS is installed, & periodically check for updates whenever there are any reported vulnerabilities. Likewise for IE browser, even though I never use it. It’s like making sure that sickly-prone people in the same house (otherwise known as Win OS) get their critical vaccinations & medicine when the need arises.

After checking that Win Defender got updated & runs correctly (thus the perfunctory quick system scan after an update), I set the service (which I enabled in order to run Win Defender) back to disabled again.

Still no sign of that HKLM registry key to date … Oh, perhaps Win Defender needs to be running continuously for at least 24 hrs (hence Win OS must NOT be shut down or rebooted for at least 24 hrs), before Win Defender slowly decides to set that registry key ? 🙂

On your first question, ‘May I know the relevance?’ In your now described case, it is not relevant. Win7 has been shown to delay implementing a variety of changes until the next powerdown/restart cycle. People who choose to run until the power goes out often wonder why their system does not respond well. As you point out this is not your habit.

For the remainder, I regret to be still confused and cannot offer a sensible solution. If you have disabled Defender from the beginning, and use a 3rd party product that serves you better, the key should be set by that product, if it is compliant.

But in all cases the current advice on AskWoody is wait for these things to cooperate better. There is not a current threat ‘in the wild’, and the fix is causing problems. Operate normally until one of those conditions changes.

Paul said:
“If you have disabled Defender from the beginning, and use a 3rd party product that serves you better, the key should be set by that product, if it is compliant.”

The majority of the 3rd-party antivirus vendors have not pushed out a fully-compliant update yet — ie. supports Meltdown patch AND also sets the required registry key. Even though several vendors have made their products refrain from making unsupported calls into kernel memory, most have not included the additional fix for the registry key.

Since Microsoft is the very first to claim (03 Jan 2018) that Win Defender & MSE are fully compliant, & since my system lacks the registry key, I thought it was a good opportunity to check if an updated Win Defender does what MS claims.

I still don’t have the registry key, but my plan was to backup & delete the compliant registry key if Win Defender did set it. Considering the uncertainty over the patch’s safety, I’m not in a hurry to install MS’s Meltdown KB patch soon.

1 user thanked author for this post.

I read that you do not intend to install this update yet, and so will continue to write in the theoretical as you are. But I will make observations as I have experienced them.

Microsoft Security Essentials will set the QualityCompat key under normal operation in a clear Win7 system. Windows Defender will set the QualityCompat key under normal operation in a clear Win8or10 system. In the last 24h there have been some additional requirements and outcomes put in place. Specifically addressing AMD chips, but possibly other qualifying details as well.

I would not recommend manually setting this key except for test purposes in a controlled condition. And I would not recommend allowing any other agent to set this key but the Antivirus protection that would be the daily used realtime protection from this date forward. But none of this matters in the theoretical situation that you do not intend to follow.

I remain unclear on using the Vista-age version of defender that was a different product. This is the protection that came with Win7(no service pack installed) as originally packaged. But Microsoft changed their protection design during the period that Win7 was sate of the art. They made Defender, as it is available for Win7, less desirable by removing capabilities in order to get everyone to use the then new product, Microsoft Security Essentials. In my limited understanding this is the only currently supported Microsoft product for realtime Antivirus Antispyware Antimalware and Network protection for the Win7sp1 operating system environment. The thing called Defender today is the name of the equivalent product for use in the Win8&10 environments. But that is not the same product from the Vista era. Microsoft decided to reuse the name for a different product. If I read you correctly, a big if, I thought this misunderstanding may be the cause of your not getting the key set by your ‘Defender’ in the Win7 environment. If you are choosing to use that word as a placeholder for MSE so that you only refer to one name for all cases of current Windows systems, then I have misunderstood from the beginning of this dialog. And apologize for my confusion.

None of what I have detailed above applies to the other cited experiences of others, as I have read them. If following the way I look at details does not match with yours, I again sincerely apologize.

The most important idea is that, whatever protection you choose to use, it should be supported by frequent updates, compliant to Microsoft’s changing requirements, and the same as you will use going forward. If this has been more confusing than enlightening, please ignore it.

Ron (08 Jan 2018):
The environment I am supporting has machines running Windows 7, Server 2008R2, 2012R2, and 2016. All the machines are running different versions of System Center Endpoint Protection and are patched via WSUS 2012 R2.

I would say that only 20% of the machines are being offered the Meltdown and Spectre patch. On the machines that are being offered the patches, I find no trace of the the QualityCompat registry key. I have checked on the machines with the latest version of System Center Endpoint Protection client and on machines with older versions of the End Point client. Is Microsoft not using the same registry key for their own AV products?

On machines that are not being offered the patches, I have added the QualityCompat key and had some success in getting them to be offered the patch after rebooting the server. It seems that the patch/AV registry check process is faulty.

1 user thanked author for this post.

At a separate askwoody thread, there is another case of the latest-updated Windows Defender failing to set the compliant registry key.

James Bond 007 said (<span class=”bbp-reply-post-date”>January 7, 2018 at 7:57 am):</span>
(4) Reactivated Windows Defender, instructed it to check and install the latest updates, then deactivated it again.
(5) Reboot the virtual machine, and that registry value still has not been set.

2 users thanked author for this post.

OscarCP said:
What about embedded systems? In cars, airplanes, public utilities, anything with “smart” in the name …

Some are Internet connected for monitoring and control, some are not, but have ports to attach testing equipment…

What about the multi millions of ATM machines with ancient, never-updated backends ? Is it now much easier to steal PINs ?

Or subway stations (in so-called “Smart Nations”) that disallow cash, but force riders to purchase or top up their subway pass using bank/credit/debit cards & smartphones at “smart” terminals that are likely powered by CPUs & OSes that are older than 15 years ?

And also, what about businesses (again in so-called “Smart Nations”) that increasingly compel customers to pay “digitally” using their internet-connected Android/iOS/etc phones ? Do the multitude of Android OS versions even get regular updates ?

One thing I don’t really understand and maybe some could try to answer here.

I didn’t read much about the technicalities of the flaws. I thought things would be more clear later and I didn’t want to spend too much time in speculations, so please excuse me if my question might seem obvious.

From what I understand, the flaw implies that one of the worst case scenarios could be your private memory is read by some website you browse to that includes a tainted javascript. Ok. Now, I understand a lot of important info can be read.

But, does it have to be in memory? Can your hard disk files be read easily?

Or would the bad software need to dump the info read into an analyzer that could extract anything of interest to reuse it? And then if it wanted to have access to your files, it would need to use the information to have access to your computer, which might be or not that difficult depending on your specific context?

Do the bad software only get access to random specific parts of admin memory or can it read everything quickly and dump it? If it is only small parts of memory, maybe trying to extract useful information will be like looking for a needle in a haystack?

Suppose the software gets your admin password. Then what can it do with it if you are just a home user behind a router with no open ports to the outside? I see how damaging this could be to an organization where an admin password would get stolen and then you attack a normal user on the network with social engineering attacks to install some trojan and then use his computer to do much more damage internally, but what would be the motivation and effort required to attack a normal home user? Suppose my password is stolen. Can an attacker do anything with it unless it creates another way through my computer that requires another vulnerability? Of course if I use remote access programs on my computer, things might be different. Being behind a router on a desktop is one situation. On the road with a laptop that didn’t disable tools to have remote access to the registry or remote desktop is a different thing.

The answer to these questions might help evaluate the real world risk of the issue.

3 users thanked author for this post.

Some other aspects: From Meltdown and Spectre: Here’s what Intel, Apple, Microsoft, others are doing about it: “This information leakage can be used directly; for example, a malicious JavaScript in a browser could steal passwords stored in the browser. It can also be used in tandem with other security flaws to increase their impact. Information leakage tends to undermine protections such as ASLR (address space layout randomization), so these flaws may enable effective exploitation of buffer overflows.”

The bugs allow hackers to potentially read information stored on a computer memory and steal information like passwords or credit card data.

Technology analyst Jake Saunders from ABI Research said it was not exactly clear what information might be at risk, but as the security gaps had been exposed “the question is whether other parties can discover and potentially exploit them”.

The BBC understands the tech industry has known about the issue for at least six months – and that everyone involved, from developers and security experts had signed non-disclosure agreements. The plan, it seems was to try to keep things under wraps until the flaws had been fully dealt with.

But ultimately, it does not boil to a single user in terms of patching diligence & personal behaviour/ IT hygiene.

For instance, all the 3rd-party service providers that you supply your important credentials (even via manual typing) surely write to & recall the info from somewhere (memory & physical disk) for authentication. In other words, they certainly aren’t storing user info in human brains & using eyeball power to perform authentication. Would all of their PCs be patched, especially for non-giant service providers ?

Also, there are “Smart Nations” where the government happily stores everyone’s entire range of info within a single national online database for all public institutions (govt departments, schools, police, courts, etc.) & commercial entities (eg. hospitals, banks, insurance agents, etc.) to access upon request. Would all of their CPUs & vulnerable software be patched ? Probably not.

4 users thanked author for this post.

Given the lack of scenario information I have been trying to imagine “use cases” of these vulnerabilities.

This is speculation so far… What if…

You visit a malicious page. Sites serving such pages are probably not going to be common, but let’s say there are enough out there that even though you might surf cautiously and you might have ad and malware blockers, you end up at one that delivers a script that for your particular browser can read blocks of your computer’s memory.

Let’s say it can do so reasonably rapidly, so while you’re reading whatever’s on the page (or watching a long video or whatever) your browser is busy dumping memory into packets that are being uploaded to a waiting system, which is gobbling up those packets and putting the raw data into a database. Let’s assume typical internet speeds of up to a few megabytes per second could be uploaded.

A question is: What memory? It would make a difference if it were any and all memory on the system vs. just the browser’s memory. In the latter case you could develop the habit to ALWAYS close your browser after you’ve used it to log into your bank web site, for example, and that would help keep you more secure.

But let’s assume it can access any and all of the memory on your system. Gigabytes upon gigabytes. Then the question morphs into: What’s left in the memory on your system and where after you’ve done certain things. Again, it will matter not only whether it’s possible something important to your safety and security is in there (which it almost certainly is at least sometimes), but how expensive it will be to find it and exploit it.

Now, maybe there are important things in your RAM in certain, known places because of the way the OS works. That’s almost certainly true. These will be targets of those who wish to exploit you inexpensively and quickly.

And if there are databases accumulated with huge blocks of information from your RAM that may contain valuable bits, let’s not forget the bad guys have computers with which to comb through the data later. Will you be subject to an attack in the future, presuming you don’t change your passwords regularly?

We can try the hypothesis that if it’s more difficult to get your username, password, or other sensitive data (not to mention difficult to actually USE them once obtained) than it is to work at a real job, it’s less likely we’ll be targets for exploit. But there are always exceptions. Those who might think it’s “cool” to break into things. To some extent this is all a societal problem (as in, “If it weren’t a given that every vulnerability would certainly be exploited by SOME miscreant somewhere, we wouldn’t be in this mess“).

But yeah, in the end we can only imagine what could be done with THESE latest vulnerabilities.

I’ve never been under the impression that my data or systems (or me) have been or are invulnerable. I just try to work to make it as expensive as possible to get at. And that deserves a small clarification: Expensive for them, while trying to minimize my cost. That last sentence there is why I would have to think long and hard and know the risks a bit better before accepting a patch that will reduce performance markedly just to protect against the uncertainty of a worst case scenario of just visiting a web site resulting in an upload of my RAM contents.

At best, doesn’t this seem like a situation where just browsers quickly need updating, and should not demand an installation of a hastily prepared kernel change or processor microcode fix?

5 users thanked author for this post.

I think there are different scenarios of threat. Targeting a specific fish, or many fish in a small barrel, or schools of fish + pods of whales + smears of jelly fish in a big ocean.

Every thing you say is true. But I also wonder about globally collecting a list of passwords that are actually in use. As opposed to all these password lists that are compiled from voluntary answers to polls of ‘what is your favorite password’. Such a list, even if anonymized by not being able to cross-reference usernames, would give better data for more dangerous algorithms in the future. Cloud-level, crowd-sourced algorithms.

2 users thanked author for this post.

Its not just browsers that will need a/more ongoing fixes though, and I will be holding off for as long as possible with other patches – at least until there is some assurance they will work and not wreck the computer! Its more than just javascript though, that is one easy attack vector that is speculated on and probably spectre will feature strongly with this. It probably would be tough to do these exploits, and this might help ordinary users, but no guarantee.

This one is a big deal and while waiting as long as possible is prudent, we need to keep an eye on it.
What worries me is that I read somewhere in the last few days that MS themselves have said that their patch won’t work without bios updates? Have read elsewhere this means most Windows users will not be patched anyway.

I also read someone’s response to a post where they said that if the exploit was running, heat processes would show it? Food for thought? For those that have more than one computer maybe separating their important stuff to mainly offline is a thought for the time being?

Unfortunately, you’ve probably already read about one of the most widespread security issues in modern computing history — colloquially known as “Meltdown” (CVE-2017-5754) and “Spectre” (CVE-2017-5753 and CVE-2017-5715) — affecting practically every computer built in the last 10 years, running any operating system. That includes Ubuntu.

I say “unfortunately”, in part because there was a coordinated release date of January 9, 2018, agreed upon by essentially every operating system, hardware, and cloud vendor in the world. By design, operating system updates would be available at the same time as the public disclosure of the security vulnerability. While it happens rarely, this an industry standard best practice, which has broken down in this case.

At its heart, this vulnerability is a CPU hardware architecture design issue. But there are billions of affected hardware devices, and replacing CPUs is simply unreasonable. As a result, operating system kernels — Windows, MacOS, Linux, and many others — are being patched to mitigate the critical security vulnerability.

4 users thanked author for this post.

My current understanding of the registry key for third party antivirus software is to prevent an incompatibility with the Windows kernel patch for Meltdown. As I understand it, the dual page fault testing that the patch imposes to prevent privileged memory reads was found to cause potential BSODs during testing because several third party antivirus programs make unsupported calls on kernel memory which can cause a BSOD with failure to reboot. I believe the January patch will not be offered through WU if the appropriate registry key is not set indicating that the antivirus software is compatible. MS says it may drop the requirement at such time as it believes that basically all antivirus programs have been made compatible. I do not know if you can manually download and install the patch but I would assume you would not want to do so until you were sure your antivirus software will not cause an unbootable BSOD.

The situation is quite fluid and some of what I am writing may need to be tweaked a bit as additional information becomes available. I am running AVG 2017 and they say that they are updating the registry key to indicate compatibility as of Jan/3/18.

2 users thanked author for this post.

Yes, we have found that to be correct.
An additional fact: Lack of the Registry key does not prevent the manual installation of the patches. So manual installation is risky if the AV is not compatible.

2 users thanked author for this post.

My current understanding of the registry key for third party antivirus software is to prevent an incompatibility with the Windows kernel patch for Meltdown.

Yes, but what happens if, for example, Bitdefender were to set the “all clear for update” registry key, but Malwarebytes Anti-Exploit was still incompatible? It would only work as intended if there’s only one anti-malware or other program on the PC that won’t work if the wrong memory paradigm is in effect. In this case, MBAE is meant to be used with a regular antimalware program; it is not itself designed for that purpose.

It’s also not inconceivable that other security software (HIPS, software firewalls, etc.) could also depend on the code being a specific way in order to function properly. Having a single program setting an “all clear” registry key would not suffice.

As for the other stuff, I was pondering the possibility of using the aforementioned registry key to act sort of as a manual control for the patch. From what has been written here, though, it does not seem that it would be as useful as I had hoped.

Group "L" (KDE Neon User Edition 5.15.3 & Kubuntu 18.04).

1 user thanked author for this post.

I was pondering the possibility of using the aforementioned registry key to act sort of as a manual control for the patch. From what has been written here, though, it does not seem that it would be as useful as I had hoped.

That thought had crossed my mind as well.

A few days ago I found the key set by MSE on my Win 7 system, so I renamed it to have the word “Disabled” in the name as an experiment. Sure enough, at some time since then it’s been regenerated. So either you have to disable your antivirus software, create a tool that competes with it, or just be selective about update installation and just not try to use this registry value to control anything.

And on a scary note, given that it’s being used to push a “bitter pill for your own good” patch on us, do we have to up our worry level that our own antivirus software is working more and more against us?

1 user thanked author for this post.

…Both vulnerabilities exploit performance features (caching and speculative execution) common to many modern processors to leak data via a so-called side-channel attack. Happily, the Raspberry Pi isn’t susceptible to these vulnerabilities, because of the particular ARM cores that we use.

4 users thanked author for this post.

Sort of think Moore’s Law pushed every chip maker into other areas to gain speed. Wouldn’t doubt Apple’s own ARM chips use a design heavily focused on this type of execution. Probably why Intel has managed to maintain a edge against AMD. Now thinking back to when Apple dumped Power PC chips from IBM they knew Intel had proven a better memory management design. Who knew that over a decade later we would find a flaw in that?

The Computer Emergency Response Team Coordination Center (CERT/CC) issued a security update that said the only way to protect against Spectre in particular would be to replace affected processors.

But on Thursday, the group deleted that recommendation. Its newly updated security bulletin simply says that “operating system and some application updates mitigate these attacks,” and provides a list of vendors that have updated their software to help guard against Meltdown and Spectre.

Below is what CERT deleted from their advisory. Was anyone unduly pressured ?

2 users thanked author for this post.

“In this post I will attempt to fully explain the Spectre and Meltdown vulnerabilities in an accessible way. I decided to write it up after I realised it took me more than a day to figure it out, even though I’ve been doing security related stuff on CPUs for 20 years.

You will find many explanations of Meltdown elsewhere. This document is as far as I know the only one so far that makes the hardest part of Spectre accessible.”

3 users thanked author for this post.

I’m convinced that there are no more than 100 people in the world who could put together a real Meltdown or Spectre attack. Not just demo code, but a genuine attack. And it’s most likely that the attacks reaching the general public will be Spectre attackes running JavaScript on browsers – not something esoteric in firmware or in the operating system itself.

Time will tell, I guess.

1 user thanked author for this post.

I finally read a bit of technical info on the links you provided, MrBrian. I didn’t want to spend too much time, as I thought experts could evaluate the real risk better and come up with better assessment in due time. I do not pretend I can have a clear understanding of the situation at all. However, I wanted to get a general idea myself to the extent I could understand in a little amount of time and then submit my hypothesis here.

From what I understand, the javascript attacks does seem to depend on having something in memory. Yes, they flush the cache or fill it with junk so that they can see what is next written in it by using timers, I get that. However, Javascript by itself is pretty limited and I am not sure it can trigger having for example (like it is mentioned in the example of the Spectre paper) the wifi password in cache. So, yes, you can read the cache easily, but you maybe can’t control that much what gets in the cache outside current process, so that would limit the scope of the attack a bit. Plus, what makes the info put in cache clear enough to be interpreted? Can it also be mixed with other info from one of those hundred plus processes of Win 10 that will compromise any attempt to interpret the data in reasonable time?

However, getting a trojan on the system could do much more harm, as the possibilities of triggering many OS functions indirectly and putting data into cache that way could maybe make it easy to retrieve private data not belonging to the user space. Perfect tool for spies, a combination of Spectre and a traditional malware. Maybe add some statistics and intense calling of the same functions to finally infer what data is what.

I just hope that this all means that if you generally patch your system and the javascript technique is limited due to the randomness of what will be in the cache will make this kind of attack on casual users of limited interest. Sure, it still might be easy to get data from session cookies and other browser processes that way, but trying to reassemble data read from cache when you can’t control the order it gets there and where it is stored seems to me like a difficult puzzle.

I might be completely wrong, but I feel like this vulnerability will be only truely useful if you get real code on the machine, like through a buffer overflow and by tricking a user to install the malware on his system and then you have some mean to control at least in part what gets in the cache. This is to me, already bad anyway to have malware in, so if you can generally protect yourself from those, the risk would be mitigated in good part?

I haven’t spent much time yet either trying to understand the technical details, but from reading the “Spectre & Meltdown: tapping into the CPU’s subconscious thoughts” link above it seems that the forbidden memory isn’t actually being read from the cache. Instead, the “bad” code invokes speculative execution of a “if forbidden memory location = a given value, then read allowed memory location” instruction. Later, the “bad” code times reads of the contents of the allowed memory location that it may or may not have read speculatively in the previous “if” instruction. If the read of the allowed memory location is really fast (due to being present in the memory cache), then the “bad” code makes the inference that the “if” instruction was true, and hence knows the value of the forbidden memory location. I hope I didn’t bungle my explanation too badly.

1 user thanked author for this post.

So you can easily check for any value possible in a forbidden location that way. That seems like it could be terrible, as you could dump whole segments of memory that way providing you can execute as many instructions as required to check for a certain value at a specific address while the protected content is not changed. This is very bad.

And if it is possible the create timers many other ways despite the quick fix browsers provided, this could be terrible and maybe not fixable, unless they could disable speculative execution entirely by a firmware update and thus slow down computers even more?

But returning quickly to the Spectre paper, I wasn’t able to see if what you just described also applied to the javascript code as well as normal machine code. I didn’t see any direct addressing to forbidden memory location in the javascript code and I am not familiar with assembly (I am a bit old, but too young to have studied it in school) to understand if there was an underlying consequence I don’t understand.

If that particular addressable aspect doesn’t apply to javascript, it would mitigate the risk of easily grabbing non random parts of memory by confining it to malware executing locally as this particular aspect would not apply to browsers and javascript? I am just trying to understand how in the javascript example, the memory grabbed is not from a random location. Maybe it is clear to you.

Again, I am very humble here and try to just understand. It’s been years I haven’t coded anything so please excuse me if it seems obvious from the code.

1 user thanked author for this post.

Ok, thanks. I see it in the example. I don’t see that the code knows where the address of the array is and although I don’t know javascript I would have thought it is not a language that should give that kind of information to you, but I guess it doesn’t matter, as you can iterate up or down and get whatever you want from physical memory even if you didn’t know exactly from where you start because array bound checks don’t matter at the level the vulnrability is. This is terrible and a genius idea.

What this all teach me is that we sometimes have very strong assertions about computer security than can be suddenly be shattered by something completely unexpected, as when I understood for the first time that a buffer overflow could in fact turn files or data in general into a virus and that all my level of comfort with security would go down a good notch. Previously, it seemed easy to not click on executable code you don’t trust. The game had changed. There is also this WPA2 vulnerability that changed some assumptions I had. And the next one might be the quantum computers breaking current encryption and for which we don’t seem to have an alternative.

We haven’t been lucky in the last two years with the SMB vulnerability too. It seems the situation in security is not improving, as creativity seems to work in the favor of bad guys and with agencies like the NSA loosing their vulnerability toolkits to hackers.

Maybe this Spectre vulnerability is only the first of a new field of discovery where it is much harder to patch design flaws because there is a physical aspect to it. That doesn’t look good for the future.

I am very impressed to see again how my expectations are shattered. Having some javascript code that would in theory be quite limited in capabilities even in the user space, that should have array bound checks, be able to use clever techniques to read memory from another VM, in fact any physical memory on the hardware, bypassing all levels of protection up to the hardware, is quite amazing and disturbing.

Plus Membership

Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.

AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments. Click here for details and to sign up.